Sweden’s plan to deter a Russian digital attack

What does "total defense" mean for Sweden? In the case of an attack on the country, it plans to mobilize the population and industry for all domains of warfare, including cyber.

WASHINGTON — As Sweden seeks to revitalize its “total defense” concept, it will rely heavily on its private technology industry to develop new protections from cyberattacks.

The blueprint, which would see the entirety of Sweden activated to repel an invasion, was laid out by Defence Commission head Bjorn von Sydow and commission secretariat chief Tommy Akesson during a February interview with Defense News.

While Sweden had plans throughout the Cold War to militarize the nation in case of an attack, government officials let those plans expire as the country’s relationship with Russia changed. That means leaders have a system to build on as they develop a new strategy.

But there is a vital area the old plans never had to account for: cyberwarfare, which is expected to become an early focus for the commission.

“The cyber challenges were not known 25 years ago. They were even less taken care of by the system. So we need time,” von Sydow said.

He acknowledged it’s logical to assume digital strikes against infrastructure and the power grid would be the first move in any aggression by a great power. That could be particularly crippling to the civilian population if any attack came in winter. Imagine going days without heat or electricity with temperatures well below freezing.

Sweden doesn’t have to look far to see what damage could come from a digital-first strike. Estonia, located a short distance away, was infamously hit with a major cyberattack that crippled the government in 2007. And in 2015, Ukraine’s power grid was shut down via cyberattack; since then, other utilities have been taken offline. In both cases, analysts believe Russia was behind the attacks, and hence they can be seen as a preview of the kinds of activities that could come at the start of a Russian military action.

Sign up for our Early Bird BriefThe defense industry's most comprehensive news and information straight to your inbox

Sweden is preparing to turn its entire country against an invading force — and to hold out for three months until help arrives.

By: Aaron Mehta

“Sweden is like the U.S., a tremendously digitalized country,” von Sydow said. “In some areas, you would probably not be able to open a door without the digital performance. If electricity is out, or at least out and in, it would probably [have] tremendous effects.”

Magnus Nordenman of the Atlantic Council agrees Sweden is vulnerable to this kind of assault, as it is one of the most wired-in countries in the world. “On a good day, it’s very efficient,” Nordenman said. “But also, potentially, it’s exposed in a crisis.”

As a result, Akesson said, the commission has suggested the government work to craft new coordination on cybersecurity issues with private sector companies, as well as driving toward greater investment in military cyber capabilities.

“We see it more or less as a military instrument, and we will see how much we invest. Generally speaking, we are quite good at cyber things in Sweden. We have a lot of companies and engineers and people thinking about those issues,” Akesson noted.

Sweden is home to a vibrant technology scene. Music-streaming giant Spotify is based out of Stockholm, as is the business software company Wrapp. Outside of the city, Facebook selected the coastal town of Luleå as home to its its first data center outside the United States.

In Western countries, it can sometimes be a challenge to align the private sector with the government. Generally, the tech community has resisted top-down orders from the government, and famously avoids working on some projects because of stringent regulations and intellectual property requirements.

But Erik Brattberg with the Carnegie Endowment for International Peace suspects the domestic cyber industry won’t raise objections to working on new security standards or assisting the government with emergency preparations.

“In Sweden, there is a high trust of the government,” he said. “I would think companies are happy to try and play their role, as well. They recognize it is of their interest to be helpful, ultimately.”

To get a sense how cyber total defense might work, Sweden simply has to look next door to Finland, which never drew down its total defense plan and has worked to integrate cyber capabilities into its strategy.

“Not too long ago I read the research that Finnish networks were the best-protected in the world, and that’s [not only] because of what defense is doing, but because we have a very good level of that industry in Finland,” Finnish Defence Policy Director-General Janne Kuusela told Defense News during a recent visit to Washington.

“The interaction is already there. And we benefit a lot from having people who worked in this domain, in their civilian lives, so they are reservists and bring a lot of additional knowledge and interaction for the defense goals for us. It’s a good way of dealing with this.”

Whether Sweden can find the level of cyber resiliency it needs remains to be seen, but the Defence Commission intends to ensure resources are available. The current plan suggests that between 2021 and 2025, Sweden will need to invest 4.2 billion krona (U.S. $510.5 million) per year on its total defense proposals.